GSA outlines requirements, schedule for cloud vendor reviews

Jan. 12, 2012 - 06:00AM
The first reviews under the Federal Risk and Authorization Management Program will start by June, according to the GSA. (Jim Watson / AFP via Getty Images)

The first wave of cloud-computing vendors is expected to complete new mandatory security reviews by Oct. 1.

The first reviews under the Federal Risk and Authorization Management Program (FedRAMP) will start by June and should be completed this fiscal year or shortly after, said Katie Lewin, program manager for cloud computing at the General Services Administration. Lewin and other GSA officials spoke at a FedRAMP industry event on Wednesday.

GSA, which manages FedRAMP, released last week more than 100 security requirements cloud vendors will have to meet if they want to provide services to federal agencies. Once FedRAMP begins to conduct vendor reviews on a regular basis, agencies will have two years to ensure that current and future cloud technologies meet the new requirements, which are based on standards set by the National Institute of Standards and Technology.

Dave McClure, associate administrator of GSA's Office of Citizen Services and Innovative Technologies, added, however, that the security requirements and FedRAMP are not "an end state" but will evolve.

"What we are putting in place is the first of many steps of trying to get this program up and running in a timely manner but also one that's efficient," he said. He encouraged vendors to voice their concerns and suggestions for improving FedRAMP.

Lewin highlighted the security requirements vendors most often struggle to meet. For example, vendors must be able to prove that their systems operators, who have access to systems that provide government services, use two-factor authentication. This requires users to provide two forms of evidence, such as a password and an identification card, to verify who they are before accessing the systems.

Companies that provide cloud technology to agencies under GSA's Infrastructure-as-a-Service contract and those with existing contracts that provide popular cloud services, such as email services, will be among the first to have their cloud products and solutions vetted under FedRAMP.